Systems and Methods for Context-Based Permissioning of Personally Identifiable Information

ABSTRACT

A method is provided that includes establishing a plurality of context profiles for a user, where at least one context profile is associated with: (i) subject areas pertinent to the at least one context profile; (ii) permissions identifying respective third parties with which personal information can be shared when the at least one context profile is active; (iii) permissions identifying what personal information can be shared with respective third parties when the at least one context profile is active; (iv) permissions identifying respective third parties that are permitted to contact the user when the at least one context profile is active; and (v) permissions identifying how respective third parties may contact the user when the at least one context profile is active. When the at least one context profile is active, the method operates in one of two or more modes (e.g., a regular mode or a discovery mode).

TECHNICAL FIELD

The disclosed implementations relate generally to systems and methods for context-based permissioning of personally identifiable information.

BACKGROUND

Personally identifiable information, or “PII,” is information that can be used, either alone or in combination with other information, to uniquely identify a particular person. In the modern computing age, users generate significant amounts of PII in their day-to-day lives, often without awareness that they are doing so, or without appreciating the extent to which the information allows them to be uniquely identified. As devices are able to collect increasingly more data about users (and more sensitive data, such as health information, location information, etc.), privacy concerns about PII are becoming more germane.

Currently, each collector of PII is responsible for informing users what data is being collected and how it is being used and for what purpose. However, with so many different entities collecting, storing, and using a person's PII, it is difficult for people to understand exactly which entities they have permitted to collect their PII, and what those entities are permitted to do with their PII. Many such agreements allow the collector of PII a fair amount of freedom to do what they choose with the PII, at any time. Thus, users are typically not in control of who has their PII, how it is being used, and when. Regulators and governments are becoming increasingly aware of this problem, and are looking to enact legislation that will mandate which controls must be put in place and how.

Moreover, most agreements governing an entity's rights and responsibilities with respect to PII are non-negotiable “take it or leave it” agreements: the user must either accept the terms, or forgo using a particular service. For example, the terms of use governing a blood-pressure monitoring application and/or device may authorize the provider to record and store blood-pressure information, and, possibly, share the information with third parties. Such agreements do not allow the user to impose any restrictions, for example, on when the provider can record data, when the data can be shared, what the data can be used for, or who it can be shared with. Users could simply refuse to agree to the stated terms, but then they will be unable to use the service or device. In other instances, agreements are so complex and long that the majority of users are either unqualified or unable to understand the rights they are granting. Such extensive “catch all” user agreements also make it hard for users to understand or even appreciate the extent of their permissions. Accordingly, users are left with a choice between authorizing sweeping access to sensitive PII, or being unable to use beneficial and valuable modern technologies. For various reasons, users often accept the terms, thus giving up substantial control of sensitive PII.

SUMMARY

Accordingly, it would be advantageous to provide systems and methods that allow users to control what PII is shared, with whom it is shared, and when it is shared. Moreover, it would be advantageous to provide systems, methods, and user interfaces whereby users can control multiple types of PII and multiple consumers of PII in a single, easy to understand and easy to use environment.

In accordance with some implementations, a method for providing access to personal information of a user is disclosed. The method is performed at one or more electronic devices (e.g., a client device and/or a server system with one or more electronic devices) with one or more processors and memory storing one or more programs for execution by the one or more processors. The method includes establishing a plurality of context profiles for a user, wherein at least one context profile of the plurality of context profiles is associated with: (i) a set of one or more subject areas pertinent to the at least one context profile (e.g., gas stations and fast food restaurants are example subject areas that may be associated with a “travel” context profile); (ii) a first set of one or more permissions identifying respective third parties with which personal information can be shared when the at least one context profile is active; (iii) a second set of one or more permissions identifying what personal information can be shared with respective third parties when the at least one context profile is active; (iv) a third set of one or more permissions identifying respective third parties that are permitted to contact the user when the at least one context profile is active; and (v) a fourth set of one or more permissions identifying how respective third parties may contact the user when the at least one context profile is active. The method further includes, when the at least one context profile is active, operating in one of two or more modes. The method includes, in a regular mode, performing at least one of: sharing personal information with respective third parties in accordance with the first set of one or more permissions and the second set of one or more permissions; and receiving information from respective third parties in accordance with the third set of one or more permissions and the fourth set of one or more permissions.
The method further includes, in a discovery mode, performing at least one of: (i) sharing personal information with first additional third parties in accordance with an expanded version of the first set of one or more permissions, wherein the first additional third parties are each associated with at least one subject area of the set of one or more subject areas pertinent to the at least one context profile; (ii) sharing additional personal information with respective third parties in accordance with an expanded version of the second set of one or more permissions; (iii) receiving information from second additional third parties in accordance with an expanded version of the third set of one or more permissions, wherein the second additional third parties are each associated with at least one subject area of the set of one or more subject areas pertinent to the at least one context profile; and (iv) receiving information from respective third parties in accordance with an expanded version of the fourth set of one or more permissions.

In accordance with some embodiments, the fourth set of one or more permissions identifying how third parties may contact the user includes a first subset of permissions identifying times when third parties are permitted to contact the user, and a second subset of permissions identifying communication types that third parties are permitted to use to contact the user.

In accordance with some embodiments, the fourth set of one or more permissions identifying how third parties may contact the user includes a third subset of permissions identifying times when third parties are not permitted to contact the user, and a fourth subset of permissions identifying communication types that third parties are not permitted to use to contact the user.

In accordance with some embodiments, the method further includes receiving a permission from the user to enter the discovery mode from the regular mode.

In accordance with some embodiments, the method further includes, when the at least one context profile is active, in an emergency mode, sharing personal information with respective third parties.

In accordance with some embodiments, the method further includes, when the at least one context profile is active, determining a mode automatically without user input.

In accordance with some embodiments, the plurality of context profiles is stored on a first electronic device of the one or more electronic devices, and the personal information of the user is stored on a second electronic device of the one or more electronic devices, such that the second electronic device is distinct from the first electronic device.

In accordance with some implementations, a computer system (e.g., a client system or server system) includes one or more processors, memory, and one or more programs; the one or more programs are stored in the memory and configured to be executed by the one or more processors, and the one or more programs include instructions for performing the operations of the method described above. In accordance with some implementations, a non-transitory computer readable storage medium has stored therein instructions which, when executed by one or more processors, cause a computer system (e.g., a client system or server system) to perform the operations of the methods described above.

The disclosed systems and methods put the individual in control of his or her personally identifiable information, and allow fine-grained control over how, when and with whom it is shared. Indeed, the disclosed systems and methods enable a change in the current PII paradigm, where individuals must agree to terms-and-conditions that grant a requestor sweeping permissions, allowing corporations and other entities to decide what data they collect and store, and how and when they can use it. Instead, control over PII is returned to the individual where it belongs. Moreover, by automatically determining active context profiles, users can preset their desired permissions, and then be assured that those permissions will be observed even without the user affirmatively changing the permissions or selecting an active profile.

BRIEF DESCRIPTION OF THE DRAWINGS

The implementations disclosed herein are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings. Like reference numerals refer to corresponding parts throughout the drawings.

FIGS. 1A-1B are block diagrams illustrating a client-server environment, in accordance with some implementations.

FIG. 2 is a block diagram illustrating a client computer device, in accordance with some implementations.

FIG. 3 is a block diagram illustrating a requesting computer device, in accordance with some implementations.

FIG. 4 is a block diagram illustrating a server computer device, in accordance with some implementations.

FIGS. 5A-5C are flow diagrams illustrating a method for providing access to personal information (PII) of a user, in accordance with some implementations.

DETAILED DESCRIPTION

Attention is now directed to the figures, and in particular to FIG. 1A, which is a block diagram of a client-server environment 100, according to some implementations, in which context-specific sharing permissions are facilitated by a central hub server. The client-server environment 100 includes client devices 102-1 . . . 102-n, a hub server 104, and requesting devices 108-1 . . . 108-n, all connected through a network 110. The network 110 includes any of a variety of networks, including wide area networks (WAN), local area networks (LAN), personal area networks, metropolitan area networks, VPNs, local peer-to-peer, ad-hoc connections, wireless networks, wired networks, the Internet, or a combination of such networks.

In some implementations, the client device 102-1 is associated with an individual. In some implementations, the client device 102-1 includes a client application 112 that facilitates the transmission of PII to other devices, such as the hub server 104 and/or requesting devices 108-n. In some implementations, the client application 112 also facilitates receipt of information (e.g., targeted advertisements and/or other content) from other devices, such as the hub server 104 and/or requesting devices 108-n. In some implementations, the PII transmitted from the client device 102-1 to other devices includes information resulting from direct interactions with the client device 102-1 (e.g., internet browsing history, user profiles, location information, application usage information, device operational information/logs, etc.). In some implementations, the PII transmitted from the client device 102-1 to other devices includes information received by the client device 102-1 from other devices and/or peripherals, such as wearables, heart-rate monitors, occupancy sensors, health/medical/biometric sensors, connected home devices, drones, autonomous vehicles, other computing devices, etc.

In some implementations, the client device 102-1 also facilitates requesting and receiving user consent for sharing of PII, including sharing of PII from the client device 102-1 to other devices and/or entities, and/or sharing of PII between other third parties. For example, a user may be prompted, via the client device 102-1, to approve or deny a request for one third party to share that user's PII with another third party.

In some implementations, the client device 102-1 also maintains or facilitates maintenance of an “active” context profile of a user. An active context profile, discussed herein, relates to one or more aspects of the user's current environment, current activity, and/or current interests. Context profiles include, for example, contexts such as “travel,” “home,” “shopping,” “driving,” “do not disturb,” “fitness,” “health emergency,” “work,” “social,” and the like. In some implementations, the client device 102-1 automatically determines an active context profile. This determination can be based on any one or more of the following factors and/or criteria: time of day, device or application usage, browsing history, location (e.g., from GPS or otherwise), ambient light, ambient temperature, biometric information (e.g., from a biometric sensor), connected devices/accessories (e.g., wearables, or a car's technology system), and the like. In some implementations, other devices in addition to or instead of the client device 102-1 maintain or facilitate maintenance of an active context profile. For example, the hub server 104 may communicate with the client device 102-1 to maintain the user's active context profile. As another example, peripheral devices may provide signals to the client device 102-1 and/or the hub server 104. These signals are indicative of a user's context, or can be used, alone or in combination with other signals, data, calendar entries, etc., to infer the user's context.

In some implementations, the client application 112 encrypts the PII prior to sending it to the hub server 104 and/or the requesting devices 108-n. The client device 102-1 and the client application 112, and the functions and methods that they perform, are discussed herein. Any description(s) of the client device 102-1, or of the functions or methods performed by the client device 102-1, apply equally to any or all instances of the client devices 102-n. Exemplary client devices include a desktop computer, a laptop computer, a tablet computer, a mobile electronic device (e.g., a “smart watch,” a wearable electronic device, a fitness/health tracker, etc.), an internal electronic device (e.g., a security, monitoring, or medical device), a mobile phone (e.g., a “smartphone”), a digital media player, or any other appropriate electronic device.

In some implementations, the requesting device 108-1 is associated with an entity that receives, stores, uses, or otherwise accesses PII of an individual. For example, a requesting device 108-1 may be associated with an entity or entities that use PII for any one or more of the following reasons: targeting advertisements (or other content) to particular individuals; sharing PII with other entities; aggregating and/or storing PII;

In some implementations, the requesting device 108-1 communicates with one or both of the hub server 104 and the client device 102-1. The requesting device 108-1 and the functions and methods that it performs are discussed herein. Any description(s) of the requesting device 108-1, or of the functions or methods performed by the requesting device 108-1, apply equally to any or all instances of the requesting devices 108-n. Exemplary requesting devices include a desktop computer, a laptop computer, a tablet computer, a mobile electronic device, a server computer (or server computer system), a mobile phone, a digital media player, or any other appropriate electronic device (or a kiosk housing any of the aforementioned devices). Exemplary devices may also include vehicles that contain such devices, including cars, airplanes, trains and the like, or occupancy spaces containing such devices, including buildings, common areas, open spaces, natural environments and the like.

In some implementations, the hub server 104 is associated with a service provider that can communicate, via the network 110 and/or other communication means, with multiple client devices (e.g., 102-n) and multiple requesting devices (e.g., 108-n) to provide and/or facilitate permissioning the sharing of PII between entities (including between individuals and third-party entities, and between two or more third-party entities). In some implementations, the hub server 104 includes and/or communicates with a permissions database 106. As described herein, the permissions database 106 stores permission information associated with users, including, but not limited to, previously granted permissions for requesting entities to access, use, or share PII; the context profiles under which PII (or certain types of PII) may be shared, accessed, or used by requesting entities; etc. As a specific example, the permissions database 106 stores information indicating that a particular user's heart rate information may be shared with a first subset of third parties when the user's active context profile is “fitness,” a second set of third parties when the user's active context profile is “health emergency,” and no third parties when the user's active context profile is anything else.

FIG. 1B is another block diagram of the client-server environment 100, according to some implementations, showing exemplary communications between a client environment 114 and a requesting device 108-1 for provisioning and sharing PII.

FIG. 1B includes a client environment 114. The client environment 114 includes a client device 102-1 in communication with the hub server 104, as well as zero or more additional devices in communication with the hub server 104 and/or the client device 102-1. Dotted lines in FIG. 1B represent communications whose transmission or reception may be contingent upon approval or permission granted by the profile-based PII gateway 116. (Other communications in FIG. 1B may also be contingent on such approval or permission by the profile-based PII gateway 116 or any other component of the client-server environment 100, including other devices/components not shown.)

In some implementations, zero or more of the electronic devices in the client environment 114 also bypass (or are capable of bypassing) the hub server 104 to communicate directly with a requesting device 108-1. Electronic devices that communicate directly with the hub server 104 and/or the requesting device 108-1 are themselves considered to be client devices 102. Electronic devices that only or principally communicate with the hub server 104 and/or the requesting device 108-1 through a separate client device 102-1 are considered to be peripheral devices. As an example, a pedometer that communicates with a client device 102-1 via BLUETOOTH or other short-range communication technology is an example of a peripheral device.

In some implementations, the additional devices include global positioning (GPS) devices (e.g., vehicle or personal navigation devices), drones, RFID tags, iBeacons, heart-rate monitors, personal computers, health/medical/biometric sensors (e.g., blood pressure monitors, galvanic skin response sensors, body temperature sensors, etc.), occupancy sensors, or the like: effectively any device which can or will be able to collect information which might be used either individually or as part of a set of information that constitutes PII.

FIG. 1B illustrates an exemplary process whereby a requesting device requests to access or use PII of a particular individual by sending a request to a hub server. The requesting device can initiate a request in response to a user input, or automatically (e.g., in response to an automatic detection of a condition). The hub server facilitates the process of requesting and receiving permissions, restrictions, and/or authorizations from the individual, and providing the requested PII to (or authorizing use of the PII by) the requesting device.

More specifically, the requesting device 108-1 sends a PII access/use request (“request”) to the hub server 104. In some implementations, the request specifies one or more of: the particular PII being requested (e.g., the user's internet browsing history, the user's heart rate, etc.), what the information may be used for, when the information may be used, whether (and with whom) the information may be shared, and the like. In some implementations, the request is accompanied by an identifier of a particular individual. For example, the entity associated with the hub server 104 (i.e., the company or entity that controls, operates, or is otherwise responsible for the hub server 104 or the services provided thereby) provides individual clients with a unique identifier. Individuals may share this identifier with third parties, who may then request information, from the hub server 104, about the associated individual. By routing PII permissioning requests from multiple third parties through the hub server 104, control over such requests is centralized and standardized, allowing users a single and simple point of contact to control who has access to their PII, as well as what it may be used for, and when it may be used and/or received.

In response to receiving a request from a requesting device 108-1, the hub server 104 processes the request and sends a corresponding request (or forwards the request from the requesting device 108-1) to a device associated with the individual identified in the request.

The individual receives the request from the hub server. As noted above, the request includes information about the requesting entity as well as information about the particular PII being requested and how/when/for what purpose the PII will be used. In some implementations, the user is proactively alerted to the request, such as with a popup message on a screen, an audible alert, a notification icon, or the like. In some implementations, the request is placed into an inbox or queue of requests that the user reviews at any convenient time.

In some implementations, instead of sending a request to the user, the request is validated against a set of rules established by the user (either on their device or on the gateway), and is then further validated against their active context. Responses are thus automatically managed based on the pre-established rules and the user's active context.

One or more devices associated with the client environment 114 (e.g., the client device 102-1) send PII permissions back to the hub server 104. In some implementations, the returned permissions include approval or denial of the request (in whole or in part, as described herein), as well as assignments of particular context profiles for which the permissions are granted. For example, a requesting device 108-1 may send a request to continuously receive the user's heart rate information for the purpose of monitoring and tracking the user's heart rate exertion levels and overall fitness. In response, the user may authorize the requestor to receive and use the data only when the user's “fitness” context profile is active, and restrict the access and/or use of the heart rate information when any other context profile is active. The hub server 104 stores the permissions received from individuals in the permissions database 106.

In some implementations, if the individual approves the request for PII (and, optionally, one or more other conditions are satisfied), the requested PII is sent to the requesting device 108-1, either directly or through the hub server 104.

In some implementations, the hub server 104 includes a profile-based PII gateway 116 that limits access to and/or use of PII data based on the active context profile of the user and the stored permissions granted to the requesting entities. For example, any time a requesting entity wishes to access and/or use PII of a particular user, it must confirm with the hub server 104 whether it is authorized to do so at that time. In response to receiving such a request, the profile-based PII gateway 116 determines the user's active context profile, and then determines whether the user has permitted the requested PII to be shared with the requesting entity when that particular context profile is active. Additionally, in some implementations, a user may elect to initiate the process of sharing PII, in order to facilitate a transaction, for example (or for any purpose). In such an instance, the user selects a context and initiates outbound sharing of information (including selected PII) with an entity, subject to any rules and/or restrictions imposed by the hub server 104, the profile-based PII gateway 116, and/or any rules or restrictions associated with the user's context profiles.

As a specific example, if an entity requests heart rate information from a particular user, the profile-based PII gateway 116 determines that the user's active context profile is “fitness,” and further determines that the user has authorized heart-rate information to be shared with the requesting entity when the “fitness” context profile is active. Thus, the profile-based PII gateway 116 will either (i) send the heart rate information to the requestor, (ii) inform the client device 102-1 to send the heart rate information to the requestor, and/or (iii) inform the requestor that they are permitted to request the heart rate information from the client device 102-1.

While FIG. 1B shows PII being sent directly from the client environment 114 to a requesting device 108-1, in some implementations, this communication is still governed by the profile-based PII gateway 116. For example, the PII will only be sent to the requesting device 108-1 once either or both of the requesting device 108-1 and the client device 102-1 have received confirmation from the profile-based PII gateway 116 that the communication is authorized.

The profile-based PII gateway 116 also controls whether a requesting device 108-1 is permitted to contact an individual with advertisements, offers, or other communications. In some implementations, the requesting device 108-1 sends an advertisement, offer, or other communication to the hub server 104, and the profile-based PII gateway 116 determines whether the individual's permissions allow that particular party to send communications to the individual based on the active context profile. If so, the communication is forwarded to the client device 102-1. If not, it is not forwarded to the client device 102-1 (though it might be stored for retrieval and review at a later stage by the user once an appropriate context profile becomes active). Alternatively, instead of sending the communication to the hub server 104, the requesting device 108-1 may request approval to send information to the client device, and the profile-based PII gateway 116 responds with an approval or a denial, and the requesting device 108-1 reacts accordingly by either sending or not sending the communication as appropriate.
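One way the gateway could make the contact decision just described, as an added example that is not part of the patent or of any product it describes. It implements the fourth permission set (the allowed and not-allowed times and communication types from the summary) as allowed and denied channels plus allowed and denied time windows, with a deny always winning and a window such as 22:00 to 07:00 that crosses midnight handled correctly, and it keeps communications that are not currently permitted in a held queue that is re-evaluated when the active profile changes, which is the "stored for retrieval ... once an appropriate context profile becomes active" behaviour above. The profile names, party ids, channel names and clock times are constructed sample data; `Window`, `ContactPolicy`, `ContactGateway` and the helper `at` are names chosen here, not identifiers from the patent.

```python
# Added illustration, not code from the patent. Profile names, party ids, channel
# names and the time windows are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Window:
    start: time
    end: time

    def contains(self, t):
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end  # window crosses midnight


@dataclass(frozen=True)
class ContactPolicy:
    """Fourth permission set for one party: allowed/denied channels and times."""
    allowed_channels: frozenset
    denied_channels: frozenset = frozenset()
    allowed_windows: tuple = ()   # empty means any time of day
    denied_windows: tuple = ()    # explicit quiet hours; a deny always wins

    def permits(self, channel, when):
        t = when.time()
        if channel in self.denied_channels:
            return False, f"{channel} is denied"
        if any(w.contains(t) for w in self.denied_windows):
            return False, "inside a denied time window"
        if channel not in self.allowed_channels:
            return False, f"{channel} is not an allowed channel"
        if self.allowed_windows and not any(w.contains(t) for w in self.allowed_windows):
            return False, "outside the allowed time windows"
        return True, "permitted"


@dataclass
class ContactGateway:
    # profile name -> {party id -> ContactPolicy}; a party with no policy may not contact
    policies: dict
    active_profile: str
    held: list = field(default_factory=list)       # withheld (party, channel, payload)
    forwarded: list = field(default_factory=list)  # what reached the client device

    def decide(self, party, channel, when):
        policy = self.policies.get(self.active_profile, {}).get(party)
        if policy is None:
            return False, f"{party} may not contact the user under '{self.active_profile}'"
        return policy.permits(channel, when)

    def submit(self, party, channel, payload, when):
        ok, reason = self.decide(party, channel, when)
        (self.forwarded if ok else self.held).append((party, channel, payload))
        return ok, reason

    def switch_profile(self, profile, when):
        # Re-evaluate withheld messages under the newly active profile.
        self.active_profile = profile
        still_held, released = [], []
        for party, channel, payload in self.held:
            if self.decide(party, channel, when)[0]:
                self.forwarded.append((party, channel, payload))
                released.append(payload)
            else:
                still_held.append((party, channel, payload))
        self.held = still_held
        return released


def at(hour, minute=0):
    """A fixed sample date at the given clock time (constructed for the example)."""
    return datetime(2024, 5, 6, hour, minute)


def build_demo_contact_gateway():
    """Constructed sample: under 'work' the gym app may e-mail during office hours
    only; under 'fitness' it may also text, except during overnight quiet hours."""
    office = Window(time(9, 0), time(17, 0))
    quiet = Window(time(22, 0), time(7, 0))
    return ContactGateway(
        policies={
            "work": {"gym-app": ContactPolicy(frozenset({"email"}),
                                              denied_channels=frozenset({"sms", "popup"}),
                                              allowed_windows=(office,))},
            "fitness": {"gym-app": ContactPolicy(frozenset({"email", "sms"}),
                                                 denied_windows=(quiet,))},
        },
        active_profile="work")
```

Deny rules are evaluated before allow rules, so adding a quiet-hours window or a denied channel can never widen what a party may do, and a party with no policy under the active profile is held rather than forwarded. Re-evaluating the held queue on a profile switch is what lets a text message submitted during "work" reach the user once "fitness" becomes active, without the requesting device having to resend it.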

The profile-based PII gateway 116 allows users to establish permissions related to their PII and the third parties that can access their PII such that they share and receive information in a way that is relevant to their current context. For example, limiting the sharing of clothing size information to times when the user is in a “shopping” profile helps ensure that the user is not accosted with offers, advertisements, or other communications related to clothes shopping when the user is in a different context profile, such as “work” or “vacation.” It also helps provide the user with offers, advertisements, or other communications that are particularly relevant and timely to their active context profile. Thus, when the user is in a “shopping” profile, he or she will be more likely to receive content related to clothing than to nearby athletic events or restaurants near his or her place of work, for example.

Imposing a limited set of permissions, however, can negatively impact the exposure of a user to desirable information. For example, limiting the third parties who may receive PII or contact a user with offers, advertisements, or other communications (or when they are permitted to do so) may prevent the user from learning about a product or service that they might be interested in. Accordingly, in some implementations, users are able to increase the permissions granted to one or more third parties such that additional PII is accessible to the third parties and/or the third parties can communicate with the user in additional ways or in additional contexts. Moreover, the hub server 104 allows users to change permissions of multiple third parties at one time, allowing them the benefit of increased exposure to desirable content without having to individually change the permissions for each third party. Instead, the user can enter a “discovery mode” where additional permissions are granted to new and/or different third parties. Thereafter, the user can, with only a single request, exit the discovery mode and return each third party to the previously applicable permissions.

Discovery mode affects any of multiple possible permissions. In some implementations, discovery mode allows for the creation of an Interim Privacy Policy (IPP) with additional third parties, giving them the right to receive and access a user's PII, or allowing additional third parties to contact a user. For example, a user's permissions may only allow a few specific third parties to access PII or send advertisements or offers to the user. When discovery mode is active, however, additional third parties are granted permissions to access the user's PII or send communications to the user. For another example, a user might be shopping for life insurance and under their normal mode would only be sharing their relevant PII (e.g., height, age, weight, health history, heart rate data, fitness data, blood chemistry, etc.) with entities already approved by them to receive such information. By entering discovery mode, the user can permission and share this information with a broad set of competitors offering life insurance products, such that each has the same PII and thus the user can receive a wide set of competitive and accurate personalized quotes. The permissioning of this PII by the user while in discovery mode creates an IPP and thus gives the other providers the legal right to use the user's PII to help them bid for the business. Once the discovery mode is closed, the IPP ends and the related permission ceases.

In some implementations, discovery mode allows third parties to access additional PII that they would not otherwise be permitted to access. For example, under normal operating modes, a retailer may be permitted to access a user's clothing sizes, whereas in discovery mode, that same retailer (and/or additional retailers) may also be permitted to access a user's browsing history, location, and the like.

In some implementations, discovery mode allows third parties to contactthe user via additional communications options. For example, undernormal operating modes, a third party may only be permitted to sendemails to the user, whereas in discovery mode, that same third party(and/or additional third parties) may also be permitted to contact theuser with text messages, pop-up advertisements, banner advertisements,displays on wearables, etc. As another example, under normal operatingmodes, a third party may only be permitted to send communications to auser's desktop computer, whereas in discovery mode, that same thirdparty (and/or additional third parties) may also be permitted to contactthe user on any associated electronic device (e.g., television,smartphone, wearable, vehicle “infotainment” system, etc.

Of course, discovery mode need not grant unlimited permissions to allthird parties. Rather, in some implementations, a user can select howdiscovery mode affects the permissions granted to third parties. Forexample, one user may configure discovery mode such that permissions aregranted to any and all third parties to access the user's PII and/orsend communications to the user, and for any subject area. Another user,by contrast, may configure discovery mode such that only a small numberof additional third parties are permitted to access the user's PIIand/or send communications to the user. Accordingly, in someimplementations, the behavior of discovery mode is user-specific anduser-configurable.

In some implementations, additional modes, in addition to discoverymode, grant additional and/or different permissions to third partieswhen they are active. For example, in some implementations, an emergencymode allows any and all PII that may be helpful to rescue a user is sentto emergency responders, health professionals, family members, and/orthe like (or access to PII is granted to the foregoing entities). SuchPII may include, without limitation, current location, currentmedications, preexisting health conditions, medical records, and anyappropriate biometric information such as heart rate, blood pressure,blood sugar levels, galvanic skin response, body temperature, etc. Thus,like discovery mode, emergency mode changes and/or overrides thepermissions that are otherwise active as a result of a particularcontext profile being active. Thus, for example, if a user's activecontext profile has very few permissions (corresponding to a “do notdisturb” or “family time” mode), emergency mode will expand thepermissions so as to allow beneficial services to be provided to theuser.

In some implementations, emergency mode is entered automatically upondetection of a certain condition. For example, emergency mode may beentered upon detection that a user has been in a car accident (e.g.,based on accelerometer information from a smartphone, collision sensorsin a vehicle, etc.), or upon detection that the user is undergoing ahealth emergency (e.g., based on heart rate, blood sugar, or otherbiometric information), or the like.

In some implementations, in addition to or instead of automaticselection, emergency mode is entered manually by a user. For example, auser may select emergency mode at any appropriate time, such as afterbecoming injured.
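To make the layering of modes concrete, here is an added Python sketch (not code from this application) of a permission evaluator in which discovery mode and emergency mode are overlays computed on top of the stored context profile rather than edits to it: the discovery overlay is the Interim Privacy Policy, ends on a single exit call or on expiry, and only admits third parties in a subject area pertinent to the active profile, while the emergency overlay opens rescue-relevant PII to responders even over an empty “family time” profile. All party names, PII categories, trigger thresholds and the clock are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

Pair = Tuple[str, str]


@dataclass(frozen=True)
class Permissions:
    """The four permission sets a context profile carries."""
    share_with: FrozenSet[str]    # (i)   third parties that may receive PII
    share_what: FrozenSet[Pair]   # (ii)  (third party, PII category) pairs
    contact_by: FrozenSet[str]    # (iii) third parties that may contact the user
    contact_how: FrozenSet[Pair]  # (iv)  (third party, channel) pairs

    def union(self, other: "Permissions") -> "Permissions":
        return Permissions(self.share_with | other.share_with, self.share_what | other.share_what,
                           self.contact_by | other.contact_by, self.contact_how | other.contact_how)


def grant(parties: FrozenSet[str], categories: FrozenSet[str], channels: FrozenSet[str]) -> Permissions:
    """Permissions letting each of `parties` receive every category and use every channel."""
    return Permissions(parties, frozenset((tp, c) for tp in parties for c in categories),
                       parties, frozenset((tp, ch) for tp in parties for ch in channels))


NO_PERMISSIONS = grant(frozenset(), frozenset(), frozenset())

# Constructed emergency overlay: rescue-relevant PII goes to responders and family only.
EMERGENCY_OVERLAY = grant(frozenset({"ambulance_service", "family_contact"}),
                          frozenset({"location", "medications", "conditions", "heart_rate"}),
                          frozenset({"voice", "sms"}))


@dataclass(frozen=True)
class InterimPrivacyPolicy:
    """Discovery-mode grant (IPP): extra permissions that end when discovery closes or expires."""
    extra: Permissions
    expires_at: datetime


@dataclass
class UserState:
    profiles: Dict[str, Permissions]                  # stored baselines, never mutated by a mode
    active_profile: str
    discovery: Optional[InterimPrivacyPolicy] = None  # None means regular mode
    emergency: bool = False


def effective_permissions(state: UserState, now: datetime) -> Permissions:
    """Layer overlays on the baseline: profile, then discovery (if unexpired), then emergency.

    Nothing is written back to state.profiles, so leaving a mode needs no undo step.
    """
    perms = state.profiles[state.active_profile]
    if state.discovery is not None and now < state.discovery.expires_at:
        perms = perms.union(state.discovery.extra)
    if state.emergency:  # overrides even an empty "do not disturb" / "family time" profile
        perms = perms.union(EMERGENCY_OVERLAY)
    return perms


def may_share(state: UserState, third_party: str, category: str, now: datetime) -> bool:
    p = effective_permissions(state, now)
    return third_party in p.share_with and (third_party, category) in p.share_what


def may_contact(state: UserState, third_party: str, channel: str, now: datetime) -> bool:
    p = effective_permissions(state, now)
    return third_party in p.contact_by and (third_party, channel) in p.contact_how


def enter_discovery(state: UserState, candidates: Dict[str, FrozenSet[str]], pertinent_areas: FrozenSet[str],
                    categories: FrozenSet[str], channels: FrozenSet[str], ttl: timedelta, now: datetime) -> None:
    """Create the IPP: only candidates in a subject area pertinent to the active profile qualify."""
    chosen = frozenset(tp for tp, areas in candidates.items() if areas & pertinent_areas)
    state.discovery = InterimPrivacyPolicy(grant(chosen, categories, channels), now + ttl)


def exit_discovery(state: UserState) -> None:
    """One request: dropping the overlay returns every third party to its prior permissions."""
    state.discovery = None


def should_enter_emergency(signals: Dict[str, float]) -> bool:
    """Automatic trigger; the signal kinds are the page's, the thresholds are constructed."""
    hr = signals.get("heart_rate_bpm", 70.0)
    return signals.get("peak_accel_g", 0.0) >= 8.0 or hr < 40.0 or hr > 180.0


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock for the demo
HOUR = timedelta(hours=1)


def demo_state() -> UserState:
    """Constructed user: an insurance-shopping profile trusting one insurer, plus a family-time profile."""
    baseline = grant(frozenset({"insurer_a"}), frozenset({"height", "health_history"}), frozenset({"email"}))
    return UserState({"insurance_shopping": baseline, "family_time": NO_PERMISSIONS}, "insurance_shopping")
```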

FIG. 2 is a block diagram illustrating a client device 102-1, in accordance with some implementations. While FIG. 2 illustrates one instance of a client device (i.e., client device 102-1), the figure and associated description apply equally to any client device (e.g., 102-1 through 102-n).

In some implementations, the client device 102-1 is any of: a desktop computer, a laptop computer, a tablet computer, a mobile electronic device (e.g., a “smart watch,” a wearable electronic device, a fitness/health tracker, etc.), a mobile phone (e.g., a “smartphone”), a digital media player, or any other appropriate electronic device.

The client device 102-1 typically includes one or more CPUs 204, a user interface 206, at least one network communications interface 212 (wired and/or wireless), an image capture device 214, a positioning system 216, a biometric capture device 217, memory 218, and at least one communication bus 202 for interconnecting these components. Each communication bus 202 may include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some implementations, the user interface 206 includes a display 208 and input device(s) 210 (e.g., keyboard, mouse, touchscreen, keypads, etc.).

The image capture device 214 is any device that is capable of capturing an image of a real-world scene or object. In some implementations, the image capture device 214 is a digital camera (including any appropriate lens(es), sensor(s), and other components). In some implementations, it is a remote image capturing device (e.g., on a drone or wearable).

The positioning system 216 includes devices and/or components for determining the location of the client device 102-1, including but not limited to global positioning system (GPS) sensors, radio receivers (e.g., for cell-tower triangulation, WiFi-based positioning, etc.), inertial sensors, and accelerometers. In some implementations, the client device 102-1 does not include (or does not rely on) a separate positioning system 216. For example, where the client device 102-1 is connected to the Internet (e.g., via the network communications interface 212), the location of the client device 102-1 can be determined using IP address geolocation techniques. Other techniques for determining the location of the client device, including those that rely on an inbuilt or connected positioning system and those that do not, are also contemplated. In some implementations, location may be defined by the network being connected to (e.g., in an airplane, train, or building) or by other sensor information that might identify location.

The biometric capture device 217 includes devices and/or components for capturing biometric data from a person. In some implementations, the biometric capture device 217 is a fingerprint scanner. In some implementations, it is a retinal scanner. In some implementations, it is a facial scanner. In some implementations, it is a voice recognition scanner. In some implementations, the biometric capture device 217 is a multi-purpose capture device that can capture multiple types of biometric data from a user (e.g., handprints, fingerprints, facial images, etc.). In some implementations, biometric capture devices 217 include any of a heart rate monitor, a galvanic skin response monitor, a blood sugar monitor, a blood alcohol monitor, a blood oxygen monitor, or any other biometric monitor/sensor, which may be either external or internal. In some implementations, the biometric capture device 217 is a peripheral device (i.e., is not in the same housing as other components of the client device 102-1), and communicates with the client device 102-1 via one or more communication links, including, for example, BLUETOOTH, WiFi, or any other appropriate wired or wireless communication link(s).

Memory 218 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM, or other random access solid state memory devices, and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. Memory 218 may optionally include one or more storage devices remotely located from the CPU(s) 204 (e.g., a network-connected storage device or service, such as a “cloud” based storage service). Memory 218, or alternately the non-volatile memory device(s) within memory 218, includes a non-transitory computer readable storage medium. In some implementations, memory 218 or the computer readable storage medium of memory 218 stores the following programs, modules and data structures, or a subset thereof:

-   an operating system 220 that includes procedures for handling various basic system services and for performing hardware dependent tasks;
-   a communication module 222 that is used for connecting the client device 102-1 to other computers via the one or more network communication interfaces 212 (wired or wireless) and one or more communication networks, such as the Internet, other Wide Area Networks, Local Area Networks, Personal Area Networks, Metropolitan Area Networks, VPNs, local peer-to-peer and/or ad-hoc connections, and so on;
-   a user interface module 224 that receives commands and/or inputs from a user via the user interface 206 (e.g., from the input device(s) 210, which may include keyboard(s), touch screen(s), microphone(s), pointing device(s), and the like), and provides user interface objects on a display (e.g., the display 208);
-   an image capture device module 226 (including, for example, applications, drivers, etc.) that works in conjunction with the image capture device 214 to capture images, such as images or scans of physical documents, faces, real-world scenes, etc.;
-   a biometric capture device module 227 that works in conjunction with the biometric capture device 217 (and/or the image capture device 214) for capturing biometric data of a user, including data relating to any appropriate physical or biological characteristic of a user;
-   a positioning system module 228 that, in conjunction with the positioning system 216, determines a current location (e.g., latitude and longitude, street address, city, state, municipality, etc.) of the client device 102-1; and
-   one or more client application module(s) 230 for enabling the client device 102-1 to perform the methods and/or techniques described herein, the client application module(s) 230 including but not limited to:
    -   a PII permissions management module 231 for receiving user preferences relating to PII permissions, including what third parties may receive/access PII, what PII may be received/accessed by third parties, when PII may be received/accessed by third parties, how third parties may contact the user, what third parties may contact the user, when third parties may contact the user, etc., and for assigning permissions to one or more context profiles;
    -   a context profile selection module 232 for receiving user selections of an active context profile and for detecting triggers for automatically selecting an active context profile.

In some implementations, the client device 102-1 includes a subset of the components and modules shown in FIG. 2. Moreover, in some implementations, the client device 102-1 includes additional components and/or modules not shown in FIG. 2.

FIG. 3 is a block diagram illustrating a requesting device 108-1, in accordance with some implementations. While FIG. 3 illustrates one instance of a requesting device (i.e., requesting device 108-1), the figure and associated description apply equally to any requesting device (e.g., 108-1 through 108-n).

In some implementations, the requesting device 108-1 is any of: a desktop computer, a laptop computer, a tablet computer, a server computer (or server system), a mobile electronic device, a mobile phone, a vehicle, a digital media player, or any other appropriate electronic device (or a kiosk housing any of the aforementioned devices).

The requesting device 108-1 typically includes one or more CPUs 304, a user interface 306, at least one network communications interface 312 (wired and/or wireless), an image capture device 314, memory 318, and at least one communication bus 302 for interconnecting these components. Each communication bus 302 may include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some implementations, the user interface 306 includes a display 308 and input device(s) 310 (e.g., keyboard, mouse, touchscreen, keypads, etc.).

The image capture device 314 is any device that is capable of capturing an image of a real-world scene or object. In some implementations, the image capture device 314 is a digital camera (including any appropriate lens(es), sensor(s), or other components). In some implementations, the image capture device is a scanner (e.g., a flatbed scanner). In some implementations, the image capture device 314 is incorporated into a common housing with the requesting device 108-1, or in a connected or external device capable of capturing images for the user (e.g., a drone, etc.).

Memory 318 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM, or other random access solid state memory devices, and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. Memory 318 may optionally include one or more storage devices remotely located from the CPU(s) 304. Memory 318, or alternately the non-volatile memory device(s) within memory 318, includes a non-transitory computer readable storage medium. In some implementations, memory 318 or the computer readable storage medium of memory 318 stores the following programs, modules and data structures, or a subset thereof:

-   an operating system 320 that includes procedures for handling various basic system services and for performing hardware dependent tasks;
-   a communication module 322 that is used for connecting the requesting device 108-1 to other computers via the one or more network interfaces 312 (wired or wireless) and one or more communication networks, such as the Internet, other Wide Area Networks, Local Area Networks, Personal Area Networks, Metropolitan Area Networks, VPNs, local peer-to-peer and/or ad-hoc connections, and so on;
-   a user interface module 324 that receives commands and/or inputs from a user via the user interface 306 (e.g., from the input device(s) 310, which may include keyboard(s), touch screen(s), microphone(s), pointing device(s), and the like), and provides user interface objects on a display (e.g., the display 308);
-   an image capture device module 326 (including, for example, applications, drivers, etc.) that works in conjunction with the image capture device 314 to capture images, such as images or scans of physical documents, faces, real-world scenes, etc.;
-   one or more application module(s) 328 for enabling the requesting device 108-1 to perform the methods and/or techniques described herein, the application module(s) 328 including but not limited to:
    -   a PII permission requesting module 330 for requesting PII permissions from one or more client devices and/or hub servers; and
    -   a PII permission database 332 for storing and managing previously granted PII permissions;
-   a PII database 334 for storing PII, if authorized to do so, subject to any and all permissions relating to the PII; and
-   an ad/communication database 336 for storing advertisements and/or other communications (e.g., content for email, physical mail, text/sms/mms messages, popup messages, etc.) that can be sent to client devices.

In some implementations, the requesting device 108-1 includes a subset of the components and modules shown in FIG. 3. Moreover, in some implementations, the requesting device 108-1 includes additional components and/or modules not shown in FIG. 3.

FIG. 4 is a block diagram illustrating a hub server 104, in accordance with some implementations. In some implementations, the hub server 104 is any of: a desktop computer, a laptop computer, a tablet computer, a server computer (or server system), a mobile electronic device, a mobile phone, a digital media player, or any other appropriate electronic device (or a kiosk housing any of the aforementioned devices).

The hub server 104 typically includes one or more CPUs 404, a user interface 406, at least one network communications interface 412 (wired and/or wireless), memory 414, and at least one communication bus 402 for interconnecting these components. Each communication bus 402 may include circuitry (sometimes called a chipset) that interconnects and controls communications between system components. In some implementations, the user interface 406 includes a display 408 and input device(s) 410 (e.g., keyboard, mouse, touchscreen, keypads, etc.).

Memory 414 includes high-speed random access memory, such as DRAM, SRAM, DDR RAM, or other random access solid state memory devices, and may include non-volatile memory, such as one or more magnetic disk storage devices, optical disk storage devices, flash memory devices, or other non-volatile solid state storage devices. Memory 414 may optionally include one or more storage devices remotely located from the CPU(s) 404. Memory 414, or alternately the non-volatile memory device(s) within memory 414, includes a non-transitory computer readable storage medium. In some implementations, memory 414 or the computer readable storage medium of memory 414 stores the following programs, modules and data structures, or a subset thereof:

-   an operating system 416 that includes procedures for handling various basic system services and for performing hardware dependent tasks;
-   a communication module 418 that is used for connecting the hub server 104 to other computers via the one or more network interfaces 412 (wired or wireless) and one or more communication networks, such as the Internet, other Wide Area Networks, Local Area Networks, Personal Area Networks, Metropolitan Area Networks, VPNs, local peer-to-peer and/or ad-hoc connections, and so on;
-   a user interface module 420 that receives commands and/or inputs from a user via the user interface 406 (e.g., from the input device(s) 410, which may include keyboard(s), touch screen(s), microphone(s), pointing device(s), and the like), and provides user interface objects on a display (e.g., the display 408);
-   one or more server application module(s) 422 for enabling the server 104 to perform the methods and/or techniques described herein, the server application module(s) 422 including but not limited to:
    -   a profile based PII gateway 116 for receiving PII requests and/or communications directed to client devices from third parties, for receiving responses from client devices, and for forwarding communications from third parties to client devices and vice versa, based on the user's active context profile and associated permissions;
    -   a receiving module 426 for receiving information (e.g., PII) from remote devices (e.g., client devices 102-n, requesting devices 108-n), including but not limited to: documents, verification ratings, data extracted from documents, account information (e.g., name, address, social security number, password, account recovery questions/answers, biometric data, login credentials, etc.), etc.;
    -   an optional encryption module 428 for encrypting user information (including but not limited to documents, verification ratings, data extracted from documents, account information, or any PII) for secure storage, if the user information was not encrypted before it was received by the server 104;
    -   an information packaging/encrypting module 432 for gathering, packaging, and encrypting user information (including but not limited to documents, verification ratings, data extracted from documents, account information, or any PII) to be sent to or otherwise accessed by a requestor (e.g., a requesting device 108-n), and for sending the information to the requestor;
    -   a permissions database 106 that includes information associated with a plurality of users; and
    -   an ad/communication database 434 for storing advertisements and/or other communications (e.g., content for email, physical mail, text/sms/mms messages, popup messages, etc.) that can be sent to client devices.

FIG. 4 further illustrates a portion of the user permissions database 106 relating to a user account 436 for an exemplary user “n.” The user account 436 includes but is not limited to:

-   account information 438 associated with the user (e.g., name, address, social security number, password, account recovery questions/answers, biometric data, login credentials, etc.);
-   permission data 440 associated with the user, including what third parties may receive/access PII, what PII may be received/accessed by third parties, when PII may be received/accessed by third parties, how third parties may contact the user, what third parties may contact the user, when third parties may contact the user, etc., and the assignment of permissions to one or more context profiles; and
-   context profiles 442 associated with the user, including, for example, context profiles for work, travel, home, vacation, shopping, driving, fitness, boating, do-not-disturb, and the like.

In some implementations, any or all of the user information in the permissions database 106 is encrypted. Moreover, in some implementations, the service provider does not possess decryption keys for the user information. Accordingly, the service provider and/or the hub server 104 are not able to decrypt, view, read, or modify user information.

In some implementations, the hub server 104 includes a subset of the components and modules shown in FIG. 4. Moreover, in some implementations, the hub server 104 includes additional components and/or modules not shown in FIG. 4.

FIGS. 5A-5C are flow diagrams illustrating a method 500 for providing access to personal information (PII) of a user, in accordance with some implementations. Each of the operations shown in FIGS. 5A-5C may correspond to instructions stored in a computer memory or computer readable storage medium. In some implementations, the steps are performed at an electronic device with one or more processors (or cores) and memory storing one or more programs for execution by the one or more processors (or cores). For example, in some implementations, the steps are performed at any one (or any combination) of the client device 102-1, the hub server 104, and the requesting device 108-1. Moreover, the individual steps of the method may be distributed among the multiple electronic devices in any appropriate manner.

Any or all of the communications between devices described with respect to FIGS. 5A-5C are, in some implementations, secured and/or encrypted using any appropriate security and/or encryption techniques, including but not limited to Hypertext Transport Protocol Secure (HTTPS), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), Internet Protocol Security (IPSec), public key encryption, and the like (including any appropriate yet to be developed security and/or encryption method).

The method includes establishing a plurality of context profiles for a user. In some implementations, context profiles are automatically triggered (e.g., a detection that the user is in a car triggers a “travel” profile). In some implementations, context profiles relate to one or more aspects of the user's environment, current activity, or current interest(s). In some implementations, the user manually selects an active context profile.

The method further includes detecting an event associated with a request for personal information of the user. In some implementations, the event corresponds to a requesting entity asking for PII for a particular user, a requesting entity supplying a unique identifier of a particular user, etc.

The method further includes generating a request for consent or permission to share the personal information of the user with a third party. In some implementations, the request includes an option for the user to approve or deny permission for select items of requested information (i.e., less than or more than what is included in the request), and an option for the user to assign the permissions (or denial of the permissions) to particular profiles of the plurality of context profiles.

The method further includes sending, to the user, the request for consent or permission to share the personal information of the user with the third party.

The method further includes receiving, from the user, consent to share at least a subset of the requested personal information with the third party when at least a first context profile, of the plurality of context profiles, is active. In particular, consent is tied to specific profiles; i.e., the user may consent to sharing of personal information with the particular third party in some profiles but not in other profiles. In some implementations, the method further comprises receiving, from the user, denial of consent to share at least a subset of the requested personal information with the third party when at least a second context profile, of the plurality of context profiles, is active. Thus, for example, a user can permit a third party to access and/or use PII (e.g., the user's height, weight, clothing size, and shopping habits) when the user is in a first profile (e.g., a “shopping” profile), but not when the user is in another profile (e.g., a “work” profile).

The method further includes determining an active context profile for the user based on one or more signals indicative of the user's context. The signals can come from any of multiple devices, calendars, schedules, or the like. For example, a vehicle can send a signal to an appropriate device (e.g., a client device 102 and/or the hub server 104) when the vehicle is being driven to cause a “driving” context profile to be active. In some implementations, the signals indicative of the user's context correspond to a manual selection of a particular context profile.

The method further includes determining whether the active context profile matches the first context profile. In accordance with a determination that the active context profile matches the first context profile, the method includes sharing the personal information of the user with the third party. In accordance with a determination that the active context profile does not match the first context profile, the method includes not sharing the personal information of the user with the third party.

In some implementations, detecting the event associated with the request for personal information of the user comprises receiving a request for the personal information of the user.

In some implementations, the active context profile for the user is determined automatically without user input. For example, the active context profile is based on heuristics about the user's location, activity, etc., including whether the user is driving, working out, at home, at work, at a shopping establishment, etc.

In some implementations, the method further includes, in accordance with a determination that the active context profile matches the first context profile, permitting the third party to contact the user. The third party may be permitted to contact the user via any appropriate communication technique, including a banner advertisement, direct message (email, text, etc.), voice call/alert, and the like. In accordance with a determination that the active context profile does not match the first context profile, the method further includes not permitting the third party to contact the user.

In some implementations, the method further includes receiving a communication from the third party. The communication is addressed to or otherwise intended for a particular user. The method further includes, in accordance with a determination that the active context profile matches the first context profile, forwarding the communication (e.g., an email, text, ad banner, voice call/alert, etc.) to the user. In accordance with a determination that the active context profile does not match the first context profile, the method includes not forwarding the communication to the user.
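As an added example (not this application's code) of the consent and enforcement steps of method 500 just described: consent is recorded per third party and per context profile, with the user free to approve fewer items or channels than were requested; the active profile is derived from device and calendar signals, a manual selection taking precedence; and a PII request or an inbound communication is honoured only for the items and channels consented to under the profile that is active at that moment, so the clothing retailer of the shopping/work example above gets nothing while the work profile is active. The profile heuristics, party names and PII items are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class ConsentRequest:
    """What the hub puts to the user after a third party's request for PII is detected."""
    third_party: str
    items: FrozenSet[str]      # PII items requested
    channels: FrozenSet[str]   # contact channels requested


@dataclass(frozen=True)
class ConsentDecision:
    """The user's answer: approved items/channels (may differ from the request) and the profiles they apply to."""
    approved_items: FrozenSet[str]
    approved_channels: FrozenSet[str]
    profiles: FrozenSet[str]   # consent is tied to these context profiles only


class ConsentStore:
    """Grants keyed by (third party, context profile); nothing is granted across all profiles."""

    def __init__(self) -> None:
        self._items: Dict[Tuple[str, str], Set[str]] = {}
        self._channels: Dict[Tuple[str, str], Set[str]] = {}

    def record(self, req: ConsentRequest, dec: ConsentDecision) -> None:
        for profile in dec.profiles:
            key = (req.third_party, profile)
            self._items.setdefault(key, set()).update(dec.approved_items)
            self._channels.setdefault(key, set()).update(dec.approved_channels)

    def items_for(self, third_party: str, profile: str) -> FrozenSet[str]:
        return frozenset(self._items.get((third_party, profile), set()))

    def may_contact(self, third_party: str, channel: str, profile: str) -> bool:
        return channel in self._channels.get((third_party, profile), set())


def determine_active_profile(signals: Dict[str, object], manual: Optional[str] = None) -> str:
    """Constructed heuristics over device and calendar signals; a manual selection wins."""
    if manual is not None:
        return manual
    if signals.get("vehicle_in_motion"):
        return "driving"
    if signals.get("heart_rate_bpm", 0) > 120 and signals.get("moving"):
        return "fitness"
    if signals.get("location") == "office" or signals.get("calendar") == "work_hours":
        return "work"
    if signals.get("location") == "mall":
        return "shopping"
    return "home"


def release_pii(store: ConsentStore, third_party: str, requested: FrozenSet[str],
                active_profile: str) -> FrozenSet[str]:
    """Items to share right now: only those consented to for the active profile (per-item filtering)."""
    return requested & store.items_for(third_party, active_profile)


def forward_communication(store: ConsentStore, sender: str, channel: str, active_profile: str) -> bool:
    """Gateway decision for a message addressed to the user: forward only on a profile match."""
    return store.may_contact(sender, channel, active_profile)


def demo_store() -> ConsentStore:
    """Constructed consent: a clothing retailer approved for the shopping profile only, by email only."""
    store = ConsentStore()
    req = ConsentRequest("clothing_retailer",
                         frozenset({"height", "weight", "clothing_size", "shopping_habits", "location"}),
                         frozenset({"email", "banner"}))
    dec = ConsentDecision(frozenset({"height", "weight", "clothing_size", "shopping_habits"}),
                          frozenset({"email"}), frozenset({"shopping"}))
    store.record(req, dec)
    return store
```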

Also described is a method for providing increased permissions topersonal information of a user (e.g., via a “discovery” mode), inaccordance with some implementations. In some implementations, the stepsare performed at an electronic device with one or more processors (orcores) and memory storing one or more programs for execution by the oneor more processors (or cores). For example, in some implementations, thesteps are performed at any one (or any combination) of the client device102-1, the hub server 104, and the requesting device 108-1. Moreover,the individual steps of the method may be distributed among the multipleelectronic devices in any appropriate manner.

Any or all of the communications between devices described with respectto FIGS. 5A-5C are, in some implementations, secured and/or encryptedusing any appropriate security and/or encryption techniques, includingbut not limited to Hypertext Transport Protocol Secure (HTTPS), SecureSockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH),Internet Protocol Security (IPSec), public key encryption, and the like(including any appropriate yet to be developed security and/orencryption method).

The method includes establishing a plurality of context profiles for auser, wherein at least one context profile of the plurality of contextprofiles is associated with one or more of the following:

-   -   A set of one or more subject areas pertinent to the at least one        context profile. Subject areas pertinent to a context profile        include categories of goods or services that are relevant to a        particular context. For example, subject areas pertinent to a        travel profile include, for example, gas stations, food, auto        repair, etc. Subject areas pertinent to a home profile include,        for example, television/entertainment information, food        delivery, home goods, etc. Subject areas pertinent to a shopping        profile include, for example, retail stores, clothes,        electronics, any product classes associated with a user profile,        etc.    -   A first set of zero or more permissions identifying respective        third parties with which personal information can be shared when        the at least one context profile is active. In particular, each        context profile identifies with whom PII can be shared (and/or        who can use the user's PII) when that context profile is active.    -   A second set of zero or more permissions identifying what        personal information can be shared with respective third parties        when the at least one context profile is active. In particular,        each context profile identifies zero or more categories,        classes, or instances of personally identifiable information        that can be shared with or accessed/used by respective third        parties. For example, the second set of permissions may include        a permission indicating that heart rate and location information        can be shared with a particular fitness monitoring service when        the active context is “fitness.”    -   A third set of zero or more permissions identifying respective        third parties that are permitted to contact the user when the at        least one context profile is active. 
In particular, only some        third parties (e.g., retailers, advertisers, service providers,        etc.) are permitted to contact the user when a particular        profile is active. For example, a clothing retailer may be        permitted to contact the user (e.g., via email, banner        advertisement, etc.) when the user's “shopping” profile is        active.    -   A fourth set of zero or more permissions identifying how        respective third parties may contact the user when the at least        one context profile is active (e.g., via email, banner        advertisements (browser/application based), etc. when the at        least one context profile is active:

The method further includes, when operating in a regular mode, performing at least one of the following actions. (In some implementations, a regular mode corresponds to a mode where the established permissions associated with the context profile are enforced; e.g., only approved third parties can receive approved information, only approved third parties can contact the user, and only via approved communication types.)

-   Sharing personal information with respective third parties in accordance with the first set of zero or more permissions and the second set of zero or more permissions (e.g., providing PII to certain third parties and refusing to provide PII to other third parties).
-   Receiving information from respective third parties in accordance with the third set of zero or more permissions and the fourth set of zero or more permissions (e.g., receiving emails, advertisements, text messages, banner ads, etc., from certain third parties, and refusing to receive communications from other third parties).

The method further includes, when in a discovery mode, performing at least one of the following. (In some implementations, a discovery mode corresponds to a mode where the context of the profile still applies, but additional permissions are granted, for example, to allow other not-yet-approved third parties to access a user, and/or to allow third parties to access a user via additional communication methodologies that were not previously permitted (e.g., banner ads are allowed from a particular third party when in discovery mode, but are otherwise disallowed).)

-   Sharing personal information with first additional third parties in accordance with an expanded version of the first set of zero or more permissions. For example, when a shopping profile is active, a user may allow a certain set of retailers to receive and/or use PII. In the discovery mode, however, additional retailers who are not otherwise permitted to receive and/or use PII will be permitted to do so. In some implementations, the first additional third parties are each associated with at least one subject area of the set of one or more subject areas pertinent to the at least one context profile. Thus, a discovery mode for a travel context profile will only grant expanded permissions to additional third parties who are associated with subject areas such as gas stations, food, auto repair, etc.
-   Sharing additional personal information with respective third parties in accordance with an expanded version of the second set of zero or more permissions. For example, when a shopping profile is active, a user's clothing size may be shared with a particular set of third parties. In the discovery mode, additional information is shared, such as the user's age, purchase history, location, and the like.
-   Receiving information from second additional third parties in accordance with an expanded version of the third set of zero or more permissions. For example, in a shopping profile, certain retailers are permitted to send information, such as advertisements, emails, and the like, to the user. In discovery mode, additional retailers would be permitted to do so. In some implementations, the second additional third parties are each associated with at least one subject area of the set of one or more subject areas pertinent to the at least one context profile. For example, in a shopping profile, the additional third parties may be restricted to other retailers. Thus, while additional, otherwise unauthorized third parties may send information to the user, the information would still be pertinent to the user's otherwise active context profile.
-   Receiving information from respective third parties in accordance with an expanded version of the fourth set of zero or more permissions. As noted above, the fourth set of permissions relates to how a third party can contact a user. Accordingly, an expanded version of the fourth set of permissions allows third parties to use additional modes of communication that are not otherwise permitted. For example, a retailer that is only permitted to contact the user by email when the regular mode is active would be able to use additional modes of communication (e.g., text messages, pop-up ads, etc.) when the discovery mode is active.

As noted above, discovery mode need not grant full permissions to all possible third parties. Rather, the additional permissions granted in discovery mode may be established by each individual user, and may be only a small increase in permissions.

In some implementations, the fourth set of one or more permissions identifying how third parties may contact the user includes a first subset of permissions identifying times when third parties are permitted to contact the user; and a second subset of permissions identifying communication types that third parties are permitted to use to contact the user.

In some implementations, the fourth set of one or more permissions identifying how third parties may contact the user includes a third subset of permissions identifying times when third parties are not permitted to contact the user; and a fourth subset of permissions identifying communication types that third parties are not permitted to use to contact the user.
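The four permission sets, the regular and discovery modes, and the time and communication-type subsets of the fourth set described above can all be evaluated by one small policy engine. The Python below is an added example, not code from the patent or its applicant. The ContextProfile and ContactRule data model, the DIRECTORY mapping third parties to subject areas, and the sample "shopping" profile are assumptions constructed for the illustration. Two design points a practitioner would want are built in: every discovery-mode expansion is gated on the third party operating in a subject area pertinent to the active profile, and an explicit channel denial or quiet-hours window from the regular rule still applies in discovery mode, so nothing the user has refused can be unlocked by switching modes.

```python
"""Context-based permission evaluation. Added illustration; the data model
(ContextProfile, ContactRule, DIRECTORY) and the sample profile below are
assumptions, not structures defined by the patent text."""
from dataclasses import dataclass, field
from datetime import time
from enum import Enum


class Mode(Enum):
    REGULAR = "regular"       # established permissions enforced as written
    DISCOVERY = "discovery"   # user-established expansions also apply


def in_window(t, window):
    """Inclusive [start, end] check; a window that wraps midnight
    (e.g. 22:00 to 07:00) is handled."""
    start, end = window
    return start <= t <= end if start <= end else (t >= start or t <= end)


@dataclass(frozen=True)
class ContactRule:
    """Fourth permission set for one third party: channels it may use, channels
    it may never use, hours it may contact the user, hours it may not."""
    channels: frozenset
    denied_channels: frozenset = frozenset()
    allowed_hours: tuple = (time(0, 0), time(23, 59))
    quiet_hours: tuple = ()   # empty tuple means no quiet hours


@dataclass
class ContextProfile:
    name: str
    subject_areas: frozenset
    share: dict      # first+second sets: party -> PII categories it may receive
    contact: dict    # third+fourth sets: party -> ContactRule
    # expanded versions used in discovery mode; same shapes, set by the user
    discovery_share: dict = field(default_factory=dict)
    discovery_contact: dict = field(default_factory=dict)


def pertinent(profile, party, directory):
    """Discovery mode widens access only to parties operating in a subject
    area pertinent to the active profile."""
    return bool(directory.get(party, frozenset()) & profile.subject_areas)


def may_share(profile, mode, party, category, directory):
    """May `category` of the user's PII be shared with `party` right now?"""
    if category in profile.share.get(party, frozenset()):
        return True
    if mode is Mode.DISCOVERY and pertinent(profile, party, directory):
        return category in profile.discovery_share.get(party, frozenset())
    return False   # default deny: unknown party, unapproved category, wrong mode


def may_contact(profile, mode, party, channel, at, directory):
    """May `party` contact the user over `channel` at clock time `at`?"""
    rules = [profile.contact.get(party)]
    if mode is Mode.DISCOVERY and pertinent(profile, party, directory):
        rules.append(profile.discovery_contact.get(party))
    rules = [r for r in rules if r is not None]
    if not rules:
        return False
    granted = set().union(*(r.channels for r in rules))
    denied = set().union(*(r.denied_channels for r in rules))
    if channel not in granted or channel in denied:
        return False   # an explicit denial beats any grant, in either mode
    # the time limits of every applicable rule must all be satisfied
    return all(in_window(at, r.allowed_hours)
               and not (r.quiet_hours and in_window(at, r.quiet_hours))
               for r in rules)


# Constructed sample data (not from the patent).
NOON, LATE = time(12, 0), time(23, 0)
QUIET_HOURS = (time(22, 0), time(7, 0))
DIRECTORY = {   # third party -> subject areas it operates in
    "clothes.example": frozenset({"clothes"}),
    "gadgets.example": frozenset({"electronics"}),
    "fitstats.example": frozenset({"fitness"}),
}
SHOPPING = ContextProfile(
    name="shopping",
    subject_areas=frozenset({"retail stores", "clothes", "electronics"}),
    share={"clothes.example": frozenset({"clothing_size"})},
    contact={"clothes.example": ContactRule(
        channels=frozenset({"email"}),
        denied_channels=frozenset({"sms"}),   # never by text message
        quiet_hours=QUIET_HOURS)},            # never overnight
    discovery_share={
        "clothes.example": frozenset({"age", "purchase_history"}),  # more PII
        "gadgets.example": frozenset({"location"}),                 # new party
        "fitstats.example": frozenset({"heart_rate"}),  # not pertinent: inert
    },
    discovery_contact={"clothes.example": ContactRule(frozenset({"banner", "sms"}))},
)

if __name__ == "__main__":
    for mode in Mode:
        print(mode.value,
              may_share(SHOPPING, mode, "gadgets.example", "location", DIRECTORY),
              may_contact(SHOPPING, mode, "clothes.example", "banner", NOON, DIRECTORY),
              may_contact(SHOPPING, mode, "clothes.example", "banner", LATE, DIRECTORY))
```

In regular mode only the clothing retailer receives clothing size by email during the day; in discovery mode it also receives age and purchase history and may use banners, the electronics retailer (pertinent to "shopping") receives location, but the fitness service entry never takes effect and the denied SMS channel and quiet hours remain closed.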

The methods illustrated in FIGS. 5A-5C and described above may be governed by instructions that are stored in a computer readable storage medium and that are executed by at least one processor of at least one electronic device (e.g., one or more client devices 102-n, one or more requesting devices 108-n, or a hub server 104). Each of the operations shown in FIGS. 5A-5C may correspond to instructions stored in a non-transitory computer memory or computer readable storage medium. In various implementations, the non-transitory computer readable storage medium includes a magnetic or optical disk storage device, solid state storage devices, such as Flash memory, or other non-volatile memory device or devices. The computer readable instructions stored on the non-transitory computer readable storage medium may be in source code, assembly language code, object code, or other instruction format that is interpreted and/or executable by one or more processors (or cores).

Plural instances may be provided for components, operations, or structures described herein as a single instance. Finally, boundaries between various components, operations, and data stores are somewhat arbitrary, and particular operations are illustrated in the context of specific illustrative configurations. Other allocations of functionality are envisioned and may fall within the scope of the implementation(s). In general, structures and functionality presented as separate components in the example configurations may be implemented as a combined structure or component. Similarly, structures and functionality presented as a single component may be implemented as separate components. These and other variations, modifications, additions, and improvements fall within the scope of the implementation(s).

It will also be understood that, although the terms “first,” “second,” etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another. For example, a first contact could be termed a second contact, and, similarly, a second contact could be termed a first contact, without changing the meaning of the description, so long as all occurrences of the “first contact” are renamed consistently and all occurrences of the “second contact” are renamed consistently. The first contact and the second contact are both contacts, but they are not the same contact.

The terminology used herein is for the purpose of describing particular implementations only and is not intended to be limiting of the claims. As used in the description of the implementations and the appended claims, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will also be understood that the term “and/or” as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

As used herein, the term “if” may be construed to mean “when” or “upon” or “in response to determining” or “in accordance with a determination” or “in response to detecting,” that a stated condition precedent is true, depending on the context. Similarly, the phrase “if it is determined (that a stated condition precedent is true)” or “if (a stated condition precedent is true)” or “when (a stated condition precedent is true)” may be construed to mean “upon determining” or “in response to determining” or “in accordance with a determination” or “upon detecting” or “in response to detecting” that the stated condition precedent is true, depending on the context.

The foregoing description included example systems, methods, techniques, instruction sequences, and computing machine program products that embody illustrative implementations. For purposes of explanation, numerous specific details were set forth in order to provide an understanding of various implementations of the inventive subject matter. It will be evident, however, to those skilled in the art that implementations of the inventive subject matter may be practiced without these specific details. In general, well-known instruction instances, protocols, structures and techniques have not been shown in detail.

The foregoing description, for purpose of explanation, has been described with reference to specific implementations. However, the illustrative discussions above are not intended to be exhaustive or to limit the implementations to the precise forms disclosed. Many modifications and variations are possible in view of the above teachings. The implementations were chosen and described in order to best explain the principles and their practical applications, to thereby enable others skilled in the art to best utilize the implementations and various implementations with various modifications as are suited to the particular use contemplated.

1-20. (canceled)
21. A method for providing access to personal information of a user, comprising: at a server system including one or more electronic devices with one or more processors and memory storing one or more programs for execution by the one or more processors: establishing a plurality of context profiles for a user; detecting an event associated with a request for personal information of the user; generating a request for consent to share the personal information of the user with a third party; sending, to the user, the request for consent to share the personal information of the user with the third party; receiving, from the user, consent to share at least a subset of the requested personal information with the third party when at least a first context profile, of the plurality of context profiles, is active; determining an active context profile for the user based on one or more signals indicative of the user's context; determining whether the active context profile matches the first context profile; in accordance with a determination that the active context profile matches the first context profile, facilitating sharing of the personal information of the user with the third party; and in accordance with a determination that the active context profile does not match the first context profile, not facilitating sharing of the personal information of the user with the third party.
22. The method of claim 21, wherein detecting the event associated with the request for personal information of the user comprises receiving a request for the personal information of the user.
23. The method of claim 21, wherein the active context profile for the user is determined automatically without user input.
24. The method of claim 21, further comprising: in accordance with a determination that the active context profile matches the first context profile, allowing the third party to contact the user; and in accordance with a determination that the active context profile does not match the first context profile, not allowing the third party to contact the user.
25. The method of claim 21, further comprising: receiving a communication from the third party; in accordance with a determination that the active context profile matches the first context profile, forwarding the communication to the user; and in accordance with a determination that the active context profile does not match the first context profile, not forwarding the communication to the user.
26. The method of claim 21, further comprising: in accordance with a determination that the active context profile matches the first context profile, allowing the third party to communicate directly with the user; and in accordance with a determination that the active context profile does not match the first context profile, not allowing the third party to communicate directly with the user.
27. The method of claim 21, wherein the plurality of context profiles is stored on a first electronic device of the one or more electronic devices, wherein the personal information of the user is stored on a second electronic device of the one or more electronic devices, and wherein the second electronic device is distinct from the first electronic device.
28. A system including one or more electronic devices, comprising: one or more processors; memory; and one or more programs, wherein the one or more programs are stored in the memory and configured to be executed by the one or more processors, the one or more programs including instructions for: establishing a plurality of context profiles for a user; detecting an event associated with a request for personal information of the user; generating a request for consent to share the personal information of the user with a third party; sending, to the user, the request for consent to share the personal information of the user with the third party; receiving, from the user, consent to share at least a subset of the requested personal information with the third party when at least a first context profile, of the plurality of context profiles, is active; determining an active context profile for the user based on one or more signals indicative of the user's context; determining whether the active context profile matches the first context profile; in accordance with a determination that the active context profile matches the first context profile, facilitating sharing of the personal information of the user with the third party; and in accordance with a determination that the active context profile does not match the first context profile, not facilitating sharing of the personal information of the user with the third party.
29. The system of claim 28, wherein detecting the event associated with the request for personal information of the user comprises receiving a request for the personal information of the user.
30. The system of claim 28, wherein the active context profile for the user is determined automatically without user input.
31. The system of claim 28, wherein the one or more programs further include instructions for: in accordance with a determination that the active context profile matches the first context profile, allowing the third party to contact the user; and in accordance with a determination that the active context profile does not match the first context profile, not allowing the third party to contact the user.
32. The system of claim 28, wherein the one or more programs further include instructions for: receiving a communication from the third party; in accordance with a determination that the active context profile matches the first context profile, forwarding the communication to the user; and in accordance with a determination that the active context profile does not match the first context profile, not forwarding the communication to the user.
33. The system of claim 28, wherein the one or more programs further include instructions for: in accordance with a determination that the active context profile matches the first context profile, allowing the third party to communicate directly with the user; and in accordance with a determination that the active context profile does not match the first context profile, not allowing the third party to communicate directly with the user.
34. The system of claim 28, wherein the plurality of context profiles is stored on a first electronic device of the one or more electronic devices, wherein the personal information of the user is stored on a second electronic device of the one or more electronic devices, and wherein the second electronic device is distinct from the first electronic device.
35. A non-transitory computer readable storage medium storing one or more programs comprising instructions, which when executed by one or more electronic devices, cause the one or more devices to: establish a plurality of context profiles for a user; detect an event associated with a request for personal information of the user; generate a request for consent to share the personal information of the user with a third party; send, to the user, the request for consent to share the personal information of the user with the third party; receive, from the user, consent to share at least a subset of the requested personal information with the third party when at least a first context profile, of the plurality of context profiles, is active; determine an active context profile for the user based on one or more signals indicative of the user's context; determine whether the active context profile matches the first context profile; in accordance with a determination that the active context profile matches the first context profile, facilitate sharing of the personal information of the user with the third party; and in accordance with a determination that the active context profile does not match the first context profile, not facilitate sharing of the personal information of the user with the third party.
36. The computer readable storage medium of claim 35, wherein detecting the event associated with the request for personal information of the user comprises receiving a request for the personal information of the user.
37. The computer readable storage medium of claim 35, wherein the active context profile for the user is determined automatically without user input.
38. The computer readable storage medium of claim 35, further comprising instructions to: in accordance with a determination that the active context profile matches the first context profile, allow the third party to contact the user; and in accordance with a determination that the active context profile does not match the first context profile, not allow the third party to contact the user.
39. The computer readable storage medium of claim 35, further comprising instructions to: receive a communication from the third party; in accordance with a determination that the active context profile matches the first context profile, forward the communication to the user; and in accordance with a determination that the active context profile does not match the first context profile, not forward the communication to the user.
40. The computer readable storage medium of claim 35, wherein the plurality of context profiles is stored on a first electronic device of the one or more electronic devices, wherein the personal information of the user is stored on a second electronic device of the one or more electronic devices, and wherein the second electronic device is distinct from the first electronic device.
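The consent-gated flow recited in claims 21 to 27 (and restated as a system in claims 28 to 34 and as a storage medium in claims 35 to 40) can be sketched as a small server-side state machine: a request for PII produces a consent request, the user's answer is recorded as a grant bound to one context profile, the active profile is derived from context signals, and sharing or contact happens only when the two match. The Python below is an added example, not code from the patent or its applicant. The ConsentRequest and Consent records, the signal-overlap scoring used to choose the active profile, and the sample third parties and signals are assumptions constructed for the illustration. The points worth noting for an implementer are that a grant can never exceed what was asked for, and that an ambiguous or unknown context yields no active profile, so the gate fails closed rather than releasing data on a guess.

```python
"""Consent-gated sharing in the shape of claims 21 to 27. Added illustration;
ConsentRequest/Consent, the signal-overlap scoring that picks the active
profile, and the sample parties and signals are assumptions, not details
from the patent text."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConsentRequest:
    request_id: str
    third_party: str
    categories: frozenset   # PII categories the third party asked for


@dataclass(frozen=True)
class Consent:
    """The user's answer: a possibly narrowed set of categories, bound to the
    one context profile that must be active for the grant to apply."""
    request_id: str
    third_party: str
    categories: frozenset
    profile: str


class ConsentHub:
    """Server-side state: pending consent requests, recorded consents, and the
    signal sets used to decide which context profile is active."""

    def __init__(self, profiles, signal_rules):
        self.profiles = frozenset(profiles)
        self.signal_rules = {p: frozenset(s) for p, s in signal_rules.items()}
        self.pending = {}
        self.consents = []

    def on_request(self, request_id, third_party, categories):
        """Detecting an event (a request for PII) generates a consent request
        that is sent to the user; nothing is shared at this point."""
        req = ConsentRequest(request_id, third_party, frozenset(categories))
        self.pending[request_id] = req
        return req

    def on_consent(self, request_id, granted, profile):
        """The user consents to a subset of the ask, scoped to `profile`.
        A grant can never exceed what was requested."""
        req = self.pending.pop(request_id, None)
        if req is None:
            raise KeyError(f"no pending request {request_id!r}")
        if profile not in self.profiles:
            raise ValueError(f"unknown context profile {profile!r}")
        consent = Consent(request_id, req.third_party,
                          frozenset(granted) & req.categories, profile)
        self.consents.append(consent)
        return consent

    def active_profile(self, signals):
        """Pick the profile whose signal set overlaps the observed signals most.
        No overlap, or a tie, yields None so that the gate fails closed."""
        signals = frozenset(signals)
        scores = {p: len(s & signals) for p, s in self.signal_rules.items()}
        top = max(scores.values(), default=0)
        winners = [p for p, s in scores.items() if s == top]
        return winners[0] if top > 0 and len(winners) == 1 else None

    def shareable(self, third_party, signals):
        """Categories that may be released to `third_party` now: the union of
        consents bound to the active profile, or nothing if it does not match."""
        active = self.active_profile(signals)
        if active is None:
            return frozenset()
        return frozenset().union(*(c.categories for c in self.consents
                                   if c.third_party == third_party
                                   and c.profile == active))

    def may_contact(self, third_party, signals):
        """Claims 24 to 26: contact and forwarding follow the same match test."""
        active = self.active_profile(signals)
        return active is not None and any(
            c.third_party == third_party and c.profile == active
            for c in self.consents)


# Constructed sample (not from the patent).
WORKOUT = {"workout_app_open", "elevated_heart_rate"}
MALL = {"in_mall"}
AMBIGUOUS = {"workout_app_open", "in_mall"}


def build_demo_hub():
    hub = ConsentHub(
        profiles={"fitness", "shopping"},
        signal_rules={"fitness": {"workout_app_open", "elevated_heart_rate"},
                      "shopping": {"in_mall", "retail_app_open"}},
    )
    # A fitness service asks for three categories; the user grants two and
    # names one it never asked for, which is dropped by the intersection.
    hub.on_request("r1", "fitstats.example", {"heart_rate", "location", "contacts"})
    hub.on_consent("r1", {"heart_rate", "location", "email"}, "fitness")
    return hub


if __name__ == "__main__":
    hub = build_demo_hub()
    for sig in (WORKOUT, MALL, AMBIGUOUS):
        print(sorted(sig), hub.active_profile(sig),
              sorted(hub.shareable("fitstats.example", sig)))
```

With the workout signals the active profile is "fitness" and heart rate and location are released; in the mall the active profile is "shopping" and nothing is released to the fitness service; with one signal from each profile no active profile is determined and, again, nothing is released.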